Previously we weren't checking this when visiting the /sso page,
or when hitting a callback. This is both incorrect behaviour and
a security issue as it can be used to join a group.

We don't check this on metadata endpoints still, since they are
used before SAML is configured for the group.